
Taking HTTPS Denial to an Absurd Level

Researcher Troy Hunt discovers that, as far as the internet has come in adopting HTTPS, it still has a way to go.

Sometimes fighting good security is harder than embracing it. That appears to be the case with at least one company that went to great lengths to keep the browser security warnings for insecure (non-HTTPS) logins from appearing on the thousands of sites it managed.

The company in question is ShopCity.com, a community-based business that gives brick-and-mortar retailers and municipalities a place to hang their shingles online. Recently Troy Hunt, who runs the Have I Been Pwned service, was tipped off to a unique act of security defiance.

ShopCity.com was using “pseudo password fields” to keep Google Chrome and Firefox from showing “Not Secure” warnings in the URL bars of the sites it managed.

After being tipped off to ShopCity.com’s activities, Hunt did some sleuthing and found sites managed by the company were avoiding HTTPS warning error messages by displaying what amounted to fake login screens.

“Firstly, the browser warnings about an insecure login only fire when there is an input type of ‘password,’” Hunt wrote in a blog post. He points out it might look like a password field, but it is not.

“Ah, it only says ‘Password’, it’s actually just a type of ‘textbox’. There’s a single CSS class on it for some visual styling but once clicking on the field, something magical happens.” That something is a script that runs.

“And now we have a totally new class on the field. Plus, of course, the onclick event on the input box itself sets the placeholder text to an empty string. So what does the class do? It merely changes the font.

“And as you’ve probably guessed by now, that ‘font’ is nothing other than a single disc per character designed to be a visual representation of the real disc you’d normally see when entering text into a proper password field,” Hunt wrote.

In the end, he said, “it’s a pseudo password field designed to fool the user and deny them of the browser’s visual warning designed to protect their password.”
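The trick Hunt describes leaves a recognisable footprint in the markup: an input that advertises itself as a password box (placeholder, name or label) but carries a non-password type, often with a click handler that blanks the placeholder and swaps in the disc font. The auditor below is an added example (not Hunt's or ShopCity.com's code) that scans HTML for such fields and notes whether the enclosing form posts over plain HTTP; the sample page and its `pw-disc` class are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the described trick: a type="text" box whose
# placeholder says Password and whose onclick blanks the placeholder and swaps
# in a CSS class rendering each glyph as a disc. Second form is genuine.
SAMPLE_HTML = """
<form action="http://shop.example/login" method="post">
  <input type="text" name="user" placeholder="Username">
  <input type="text" name="pw" placeholder="Password" class="pw"
         onclick="this.placeholder='';this.className='pw-disc'">
</form>
<form action="https://shop.example/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
"""

PASSWORD_HINTS = ("password", "passwd", "pwd")

class PseudoPasswordAuditor(HTMLParser):
    """Flags <input>s that look like password fields but are not type=password."""
    def __init__(self):
        super().__init__()
        self.findings, self.form_action = [], ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attr names
        if tag == "form":
            self.form_action = a.get("action", "")
            return
        if tag != "input":
            return
        itype = a.get("type", "text").lower()  # a missing type defaults to text
        hints = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "aria-label")).lower()
        if itype != "password" and any(h in hints for h in PASSWORD_HINTS):
            self.findings.append({
                "name": a.get("name"),
                "type": itype,
                "form_action": self.form_action,
                "click_handler": a.get("onclick") or None,  # placeholder/class swap tell-tale
                "plaintext_submit": self.form_action.startswith("http://"),
            })

def audit(html):
    """Return the list of suspicious inputs found in an HTML document."""
    p = PseudoPasswordAuditor()
    p.feed(html)
    return p.findings
```

Running `audit(SAMPLE_HTML)` reports only the first form's `pw` field, with its click handler and a plaintext submit target; the genuine `type="password"` field in the second form is not flagged.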

In Hunt’s post on the incident he said he was tipped off by a user considering becoming a ShopCity.com customer. The woman told Hunt that when she asked ShopCity.com about the lack of security on its sites she was told “SSL is more about Google’s monopolizing visibility of content, and less to do with security.”

HTTPS is key to securing communications between a client and server and thwarting attacks such as the so-called Great Cannon attack. HTTPS is a combination of the HyperText Transfer Protocol (HTTP) and the Secure Socket Layer (SSL) protocol. Together, they encrypt communication sessions between a computer’s web browser and a web server. The absence of HTTPS leaves that connection between browser and web server vulnerable to sniffing attacks.

For Hunt, the willful ignorance of security isn’t new. He cited an incident in which Oil and Gas International was so miffed at an insecure password and login warning displayed by the Firefox browser that it filed a bug report demanding the warning be removed.

So, is all this effort worth keeping your HTTPS head in the sand? According to ShopCity.com the answer is “no.”

Threatpost spoke to Rob Calvert, network administrator for ShopCity.com, who said he was a bit embarrassed and surprised at the attention Hunt’s critique had brought his company.

“We found out about this when Troy Hunt brought it to our attention,” Calvert said. “The problem traces back to a junior developer who created this workaround to avoid the security warning. We had no idea what he had done.”

Calvert said that since Hunt’s exposé, all sites on ShopCity.com’s platform are displaying the insecure browser warning at the password login screen. He emphasized that only user logins were insecure and that any transactions conducted with merchants online were facilitated through a PayPal shopping cart that uses HTTPS.

“I agree. It’s absurd to work so hard at making it seem these sites are secure when just using HTTPS is so much easier and safer for users,” Calvert said. “We are currently transitioning our users to HTTPS and we’ll be 100 percent there by the new year.”

If it takes them more than a week to fix this, they're toast. Or at least they should be.
If they can't turn everything to HTTPS-only in a week, they are not competent to be doing what they are trying to do.

Of course, google and all of their ilk are taking this cause célèbre to the people, because, let's face it, they have no clue. Unless you're a network engineer, you have no idea...those who do that I've talked to believe that the https thing is a bit overrated as a security paradigm above all others. It is good, and solves security problems that most folks don't know about (like defeats key loggers intercepting all but auth data). Having said that, the man-in-the-middle scenario that it is being touted for rarely happens, more likely that your ISP won't be sniffing passwords than the server that you're connecting to has already been compromised. That's what law enforcement does, putting their sniffer on the server, why bother cracking ssl/tls. Let's face it, the real supporters of SSL for every site are the commercial interests who want to block your web surfing from your employer, so that you can use facebook or let Google tap your data without those nasty network admins trying to manage content. Just saying...

In a word: wrong.
If a site does not use HTTPS, its traffic can be intercepted by anyone on the same LAN as the server or the client. Using the same cafe WiFi as others? They can capture everything you do. That means they can impersonate you to whatever sites you access that don't use HTTPS.
And on the other end, you cannot know what other entities are on the same LAN or even the same IP address as the site you're talking to. For ShopCity.com, it's a metric buttload of other name-based virtual hosts on one IP: any of those might be under the control of a bad actor.
Failure to deploy HTTPS-only for websites is a solid indication of the webmaster being incompetent or grotesquely lazy. No one who still runs a port 80 web listener that does anything other than redirect clients to HTTPS on port 443 is broadcasting their inadequacy for their job.

The "junior dev" excuse needs to stop. How did a junior dev get such a change into production with no oversight without the more senior devs being incompetent or, in fact, the entire company being a shambles?

Authors

Threatpost
